{"id":"https://openalex.org/W3109217941","doi":"https://doi.org/10.1145/3372297.3423355","title":"Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation System","display_name":"Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation System","publication_year":2020,"publication_date":"2020-10-30","ids":{"openalex":"https://openalex.org/W3109217941","doi":"https://doi.org/10.1145/3372297.3423355","mag":"3109217941"},"language":"en","primary_location":{"id":"doi:10.1145/3372297.3423355","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3372297.3423355","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5007487580","display_name":"Joey Allen","orcid":"https://orcid.org/0000-0002-5503-4123"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Joey Allen","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5044348012","display_name":"Zheng Yang","orcid":"https://orcid.org/0000-0001-8610-9936"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zheng Yang","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5053937867","display_name":"Matthew Landen","orcid":"https://orcid.org/0000-0003-3095-1619"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Matthew Landen","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051046115","display_name":"Raghav Bhat","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Raghav Bhat","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058322683","display_name":"Harsh Grover","orcid":"https://orcid.org/0000-0003-2133-8142"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Harsh Grover","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045732027","display_name":"Andrew Chang","orcid":"https://orcid.org/0000-0002-2185-2857"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Andrew Chang","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101706684","display_name":"Yang Ji","orcid":"https://orcid.org/0000-0001-9512-867X"},"institutions":[{"id":"https://openalex.org/I4210108451","display_name":"Palo Alto Networks (United States)","ror":"https://ror.org/01rn6rn86","country_code":"US","type":"company","lineage":["https://openalex.org/I4210108451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yang Ji","raw_affiliation_strings":["Palo Alto Networks, Santa Clara, CA, USA"],"affiliations":[{"raw_affiliation_string":"Palo Alto Networks, Santa Clara, CA, USA","institution_ids":["https://openalex.org/I4210108451"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071832270","display_name":"Roberto Perdisci","orcid":"https://orcid.org/0000-0002-7339-0041"},"institutions":[{"id":"https://openalex.org/I165733156","display_name":"University of Georgia","ror":"https://ror.org/00te3t702","country_code":"US","type":"education","lineage":["https://openalex.org/I165733156"]},{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Roberto Perdisci","raw_affiliation_strings":["Georgia Institute of Technology &amp; University of Georgia, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology &amp; University of Georgia, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444","https://openalex.org/I165733156"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5047140382","display_name":"Wenke Lee","orcid":"https://orcid.org/0000-0003-2761-1277"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wenke Lee","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5007487580"],"corresponding_institution_ids":["https://openalex.org/I130701444"],"apc_list":null,"apc_paid":null,"fwci":1.0792,"has_fulltext":false,"cited_by_count":14,"citation_normalized_percentile":{"value":0.7997583,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"787","last_page":"802"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6645792126655579},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6289229989051819},{"id":"https://openalex.org/keywords/anonymity","display_name":"Anonymity","score":0.5785830616950989},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5203694701194763},{"id":"https://openalex.org/keywords/bloom-filter","display_name":"Bloom filter","score":0.44221845269203186},{"id":"https://openalex.org/keywords/software-versioning","display_name":"Software versioning","score":0.43538641929626465},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.386817067861557},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.33238619565963745},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.16968438029289246},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.10927683115005493}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6645792126655579},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6289229989051819},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.5785830616950989},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5203694701194763},{"id":"https://openalex.org/C147224247","wikidata":"https://www.wikidata.org/wiki/Q885373","display_name":"Bloom filter","level":2,"score":0.44221845269203186},{"id":"https://openalex.org/C198140048","wikidata":"https://www.wikidata.org/wiki/Q10859422","display_name":"Software versioning","level":3,"score":0.43538641929626465},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.386817067861557},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.33238619565963745},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.16968438029289246},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.10927683115005493},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3372297.3423355","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3372297.3423355","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.6800000071525574}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":33,"referenced_works":["https://openalex.org/W187572568","https://openalex.org/W1109422923","https://openalex.org/W2013825673","https://openalex.org/W2048616039","https://openalex.org/W2051498836","https://openalex.org/W2061221009","https://openalex.org/W2084835421","https://openalex.org/W2095450067","https://openalex.org/W2137567142","https://openalex.org/W2213728018","https://openalex.org/W2284900416","https://openalex.org/W2293069947","https://openalex.org/W2317668908","https://openalex.org/W2350778671","https://openalex.org/W2579106964","https://openalex.org/W2597324766","https://openalex.org/W2766852928","https://openalex.org/W2790557990","https://openalex.org/W2792078641","https://openalex.org/W2792591096","https://openalex.org/W2793337260","https://openalex.org/W2912412735","https://openalex.org/W2947745012","https://openalex.org/W2962703433","https://openalex.org/W2998038410","https://openalex.org/W3006711782","https://openalex.org/W3007878096","https://openalex.org/W3008508243","https://openalex.org/W3008991042","https://openalex.org/W3015650867","https://openalex.org/W3016038045","https://openalex.org/W3047582645","https://openalex.org/W3105780912"],"related_works":["https://openalex.org/W2086572746","https://openalex.org/W2604468458","https://openalex.org/W4383746662","https://openalex.org/W2969366455","https://openalex.org/W2610828280","https://openalex.org/W3129391636","https://openalex.org/W2057119605","https://openalex.org/W1779549899","https://openalex.org/W2182490965","https://openalex.org/W250425271"],"abstract_inverted_index":{"Compromising":[0],"a":[1,10,15,30,35,41,129,155,173,206],"website":[2,37,112,189],"that":[3,93,107,110,134,238],"is":[4,90,113,115],"routinely":[5],"visited":[6],"by":[7,60,197,266,270],"employees":[8,226],"of":[9,55,68,120,148,175,180,262],"targeted":[11,218],"organization":[12],"has":[13,74],"become":[14],"popular":[16],"technique":[17],"for":[18],"nation-state":[19],"level":[20],"adversaries":[21],"to":[22,38,62,80,95,100,140,160,166,184,210,222,229,245],"penetrate":[23],"an":[24,101],"enterprise's":[25],"network.":[26,48],"This":[27],"technique,":[28],"dubbed":[29],"\"watering":[31],"hole\"":[32],"attack,":[33],"leverages":[34],"compromised":[36,114,191],"serve":[39],"as":[40],"stepping":[42],"stone":[43],"into":[44],"the":[45,56,64,69,111,117,121,146,167,188,198,213,217,230,247,260,267],"true":[46,248],"victims'":[47],"Despite":[49],"watering":[50,85,149,254],"hole":[51,86,150,255],"attacks":[52],"being":[53],"one":[54],"main":[57],"techniques":[58,177],"used":[59],"attackers":[61],"achieve":[63],"initial":[65],"compromise":[66],"stage":[67,119],"cyber":[70],"kill":[71],"chain,":[72],"there":[73,89],"been":[75],"relatively":[76],"little":[77],"research":[78],"related":[79,165],"detecting":[81,109],"or":[82],"investigating":[83],"complex":[84],"attacks.":[87,151],"While":[88],"existing":[91],"work":[92],"seeks":[94,221],"detect":[96],"malicious":[97,214],"modifications":[98,194,215],"made":[99,196],"otherwise":[102],"benign":[103],"website,":[104],"we":[105,126,236],"argue":[106],"simply":[108],"only":[116],"first":[118],"investigation.":[122],"In":[123],"this":[124,201],"paper,":[125],"propose":[127],"Mnemosyne,":[128],"postmortem":[130],"forensic":[131,240,268],"analysis":[132,209,241,264],"engine":[133,242],"relies":[135,153,204],"on":[136,154,178,205,272],"browser-based":[137],"attack":[138],"provenance":[139],"accurately":[141],"reconstruct,":[142],"investigate,":[143],"and":[144,192,220],"assess":[145,211],"ramifications":[147],"Mnemosyne":[152,171,203],"lightweight":[156],"browser-modification-free":[157],"auditing":[158],"daemon":[159],"passively":[161],"collect":[162],"causality":[163,182],"logs":[164,183],"browser's":[168],"execution.":[169],"Next,":[170],"applies":[172],"set":[174],"versioning":[176],"top":[179],"these":[181],"precisely":[185],"pinpoint":[186],"when":[187],"was":[190,243],"what":[193],"were":[195],"adversary.":[199],"Following":[200],"step,":[202],"novel":[207],"user-level":[208],"how":[212],"affected":[216],"enterprise":[219],"identify":[223,246],"exactly":[224],"which":[225],"fell":[227],"victim":[228],"attack.":[231],"Throughout":[232],"our":[233],"extensive":[234],"evaluation,":[235],"found":[237],"Mnemosyne's":[239],"able":[244],"victims":[249],"in":[250],"all":[251],"seven":[252],"real-world":[253],"scenarios,":[256],"while":[257],"also":[258],"reducing":[259],"amount":[261],"manual":[263],"required":[265],"analyst":[269],"98.17%":[271],"average.":[273]},"counts_by_year":[{"year":2025,"cited_by_count":6},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":3},{"year":2020,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}